Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

The Hacker News by The Hacker News
May 25, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


May 25, 2025Ravie LakshmananThreat Intelligence / Software Security

Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework.

The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena.

“Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools,” security researchers Anna Širokova and Ivan Feigl said. “Once installed, it quietly connects to attacker-controlled servers – mostly hosted in Hong Kong – to receive follow-up instructions or additional malware.”

The attacks, like those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the “careful, long-term planning” by a very capable threat actor.

Winos 4.0 (aka ValleyRAT) was first publicly documented by Trend Micro in June 2024 as used in attacks targeting Chinese-speaking users by means of malicious Windows Installer (MSI) files for VPN apps. The activity has been attributed to a threat cluster it tracks as Void Arachne, which is also referred to as Silver Fox.

Cybersecurity

Subsequent campaigns distributing the malware have leveraged gaming-related applications like installation tools, speed boosters, and optimization utilities as lures to trick users into installing it. Another attack wave detailed in February 2025 targeted entities in Taiwan via phishing emails that purported to be from the National Taxation Bureau.

Built atop the foundations of a known remote access trojan called Gh0st RAT, Winos 4.0 is an advanced malicious framework written in C++ that makes use of a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks.

Winos 4.0 Malware
QQBrowser-Based Infection Flow Observed in February 2025

Rapid7 said all the artifacts flagged in February 2025 relied on NSIS installers bundled with signed decoy apps, shellcode embedded in “.ini” files, and reflective DLL injection to covertly maintain persistence on infected hosts and avoid detection. The entire infection chain has been given the moniker Catena.

“The campaign has so far been active throughout 2025, showing a consistent infection chain with some tactical adjustments – pointing to a capable and adaptive threat actor,” the researchers said.

The starting point is a trojanized NSIS installer impersonating an installer for QQ Browser, a Chromium-based web browser developed by Tencent, that’s designed to deliver Winos 4.0 using Catena. The malware communicates with hard-coded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.

Winos 4.0 Malware
From LetsVPN Installer to Winos 4.0 in April 2025

Persistence on the host is achieved by registering scheduled tasks that are executed weeks after the initial compromise. While the malware features an explicit check to look for Chinese language settings on the system, it still proceeds with the execution even if that’s not the case.

This indicates it’s an unfinished feature and something that’s expected to be implemented in subsequent iterations of the malware. That said, Rapid7 said it identified in April 2025 a “tactical shift” that not only switched some of the elements of the Catena execution chain, but also incorporated features to evade antivirus detection.

Cybersecurity

In the revamped attack sequence, the NSIS installer disguises itself as a setup file for LetsVPN and runs a PowerShell command that adds Microsoft Defender exclusions for all drives (C: to Z:). It then drops additional payloads, including an executable that takes a snapshot of running processes and checks for processes related to 360 Total Security, an antivirus product developed by Chinese vendor Qihoo 360.

The binary is signed with an expired certificate issued by VeriSign and allegedly belongs to Tencent Technology (Shenzhen). It was valid from 2018-10-11 to 2020-02-02. The primary responsibility of the executable is to reflectively load a DLL file that, in turn, connects to a C2 server (“134.122.204[.]11:18852” or “103.46.185[.]44:443”) in order to download and execute Winos 4.0.

“This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos 4.0 stager,” the researchers said.

“It leans heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legit certificates to avoid raising alarms. Infrastructure overlaps and language-based targeting hint at ties to Silver Fox APT, with activity likely aimed at Chinese-speaking environments.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
AI drives growth for a few Chinese companies. Analysts share their picks

AI drives growth for a few Chinese companies. Analysts share their picks

Recommended.

Powerfleet Provides Business Update Ahead of Upcoming Craig-Hallum and William Blair Conferences

Powerfleet Provides Business Update Ahead of Upcoming Craig-Hallum and William Blair Conferences

May 23, 2025
CFIT publishes blueprint for digital company business IDs | Computer Weekly

CFIT publishes blueprint for digital company business IDs | Computer Weekly

March 6, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio